Excel Exasperation, Acrobat Aggro

As The Register has pointed out, the Microsoft Security Bulletin Advance Notification for March 2009 doesn't mention a forthcoming patch for the Excel vulnerability we've already flagged in this blog here and here and here.

Since, as John Leyden remarks, the exploit is being actively exploited, it may seem that Microsoft are not taking the issue seriously enough, though they have already suggested some ways to reduce the risk, and are presumably aware that some anti-malware vendors are detecting the exploit generically - well, we are.

Additionally, the attacks still seem to be targeted rather than random, which keeps the numbers low (though as we pointed out before, a single compromised machine may cause harm to a great many people, if the attacker targeted the "right" person). However, it's worth noting that according to a recent study by Phishme, targeted phishing (so-called spear phishing) may be a lot more effective than we realize. (They also note that phishes that use an "authoritative tone" are a lot more effective than phishes that offer some form of reward or inducement: remember my comments about bossy, bureaucratic phishes?)

Still, I'm not sure Leyden is right to assume that we're not going to see a patch now until April. I don't know how long it will take Microsoft to produce a patch they're happy to release (and I don't think it's totally unreasonable of them to wait till they get right rather than rush out an incompletely tested fix). However, I'd think the publicity alone generated by this issue is probably enough to ensure that they'll put up an out-of-cycle patch when they're ready, if necessary.

Meanwhile, I note that vulnerability researchers are continuing to beaver away at the Acrobat JBIG vulnerability. You might not get too excited at another Proof of Concept PDF that simply crashes Acrobat Reader 9 when it's read - an application crash is unpleasant, but doesn't have quite the excitement of something that installs malware - but a video showing three ways of executing malware withut actually opening the PDF is more interesting. Looking at the detail, this turns out to be less dramatic than it sounds, but given this amount of interest, I hope that Adobe are on target with their fixes.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence